云计算环境中面向取证的现场迁移技术研究
|
摘要
云计算的特点是整合计算资源,在保持低成本的状态下提供良好的计算服务质量,企业和个人用户都能通过云计算的海量信息库来实现信息的自由分享。虽然云计算平台可以给广大用户提供高效服务,但是不法分子也可以在此平台上进行违法活动,取证技术是有效发现、证实违法行为的必要手段。但是传统以文件为基础的取证方式已经不适应云计算的服务模式,云计算环境主要由大量的分布式异构虚拟计算资源构成,这些复杂的结构给计算机取证工作的开展带来巨大的挑战。为了适应这些取证环境的变化,实现在云计算环境下进行取证工作成为一个重要的课题。
系统虚拟化技术和数据迁移技术的运用让云计算环境下进行取证工作成为可能。云计算环境下还缺乏可用的取证模型,通过对云计算取证的建模,将云计算平台视为由多个虚拟机构成的系统,其上运行的虚拟机实例可以作为取证分析对象。为了获取取证分析对象,利用了现场迁移技术,在虚拟化软件层对虚拟机实例进行信息保全,保证迁移的镜像文件的内容完整性和一致性。为了在本地化系统中加载虚拟机镜像文件进行取证分析,利用单独划分的临时镜像文件分区作为镜像文件和本地化系统之间的信息交换场所,可以正确加载虚拟机镜像文件,实现云计算环境下的现场取证工作。
为此,首先提出了一种新的云计算环境下的计算机取证模型——云计算取证模型,该模型定义了云计算环境下的工作层次,通过场景描述和过程组件的划分,刻画了完整的取证机制。通过对云计算取证模型的完整性和强隔离性的证明,可以将虚拟机镜像文件作为取证的对象进行分析,进而实现云计算环境下的计算机取证过程。
其次,在云计算平台中通过对虚拟化软件层的控制,利用其状态转换,提出了一种虚拟机镜像文件的迁移方法。通过对虚拟化软件层迁移状态时的上层虚拟机的进程标识,内存映射,网络连接情况信息和文件系统信息进行保存和重构设计,可以完整的保存虚拟机的整个系统状态,并通过本地化镜像加载,将虚拟机镜像整个从云计算平台迁移到本地取证环境中进行分析,实现云计算平台下电子证据的获取。
再次,由于迁移出来的虚拟机镜像文件需要在本地化加载,才能进一步进行取证分析,据此提出了一种临时镜像磁盘的加载方法。为了使镜像文件可以正常在本地环境下加载,设计了一个非文件系统分配的临时磁盘分区作为镜像文件系统和本地设备的操作系统之间信息交互的场所,以保持两个系统在硬件配置和服务的一致性,使虚拟机镜像文件正确加载。
最后,为方便查找分析和管理取证的对象文件,提出了一种针对涉案取证镜像文件的数据库管理结构。通过上述方法的研究,实现了云计算环境下取证工作。
The main advantages of cloud computing are its lower cost by use of computing services to achieve sustainability, and both business and individual users being able to achieve the freedom of information sharing through the cloud mass information. Although cloud computing can provide efficient service to customers, but criminals can also conduct illegal activities on this platform. Forensic technology is effective, proven violations method to prevent crime. But the traditional file-based evidence approach is not suited for cloud computing service model. Large-scale distributed heterogeneous virtual computing infrastructure of non-authorized investigation and evidence gathering is a big challenge in cloud computing environment. In order to meet these changes, forensic work has become an important issue in the cloud computing environment.
System virtualization and data migration technology is possible to use for forensic work in cloud computing environment. Cloud computing is a virtualization platform in the business model. There is lack of available evidence model a cloud computing environment. Cloud computing platform can be viewed as a system composed by multiple virtual organizations if the evidence is modeled by the cloud. And the instance of virtual machines can be used as forensic analysis. In order to obtain the object of forensic analysis, we get use of the site migration technology, virtualization software layer on the virtual machine instances of information security, to ensure the content of the image file transfer integrity and consistency. In order to locate the system in a virtual machine image file to load the forensic analysis by using a separate partition for the temporary image file system image file and the exchange of information between localized sites, you can load the virtual machine image file correctly, the cloud computing evidence of work-site environment.
Therefore, firstly, we proposed a new environment in the cloud model of computer forensics-Cloud Computing Forensics Model (CCFM), CCFM defines the evidence of work under the cloud level, through the scene description and process components division, gives evidence of a complete model. Through the cloud computing model integrity and strong evidence of proof isolation, the virtual machine image file can be analysized as evidence in the cloud computing environment to fulfill computer forensics process.
Secondly, a virtual machine image files migration method have been proposed in the cloud platform virtualization software layer with the use of the state transition. Through the migration of the virtualization software layer on top of virtual machine state, the process of identity, memory mapping, network connection information, and file system information preservation and reconstruction of the design, you can save the complete state of the system virtual machine, and by localization Image loading, the entire virtual machine image transfer from the cloud computing platform to the local forensics analysis environment, under the cloud computing platform for electronic evidence.
Thirdly, a temporary disk image loading methods is introduced. Because migration the virtual machine image file need load in the localization to further forensic analysis. To make image files can be loaded properly in the local environment, the design of a provisional allocation of non-file system image file system disk partition as the operating system and local device information exchange between the sites, to keep the two systems and services in the hardware configuration the consistency of the virtual machine image file loaded correctly.
Finally, a forensic image files in the database involved in the management structure to facilitate the analysis and management to find evidence of the object file. We can achieve evidence by the above method in cloud computing environment.
系统虚拟化技术和数据迁移技术的运用让云计算环境下进行取证工作成为可能。云计算环境下还缺乏可用的取证模型,通过对云计算取证的建模,将云计算平台视为由多个虚拟机构成的系统,其上运行的虚拟机实例可以作为取证分析对象。为了获取取证分析对象,利用了现场迁移技术,在虚拟化软件层对虚拟机实例进行信息保全,保证迁移的镜像文件的内容完整性和一致性。为了在本地化系统中加载虚拟机镜像文件进行取证分析,利用单独划分的临时镜像文件分区作为镜像文件和本地化系统之间的信息交换场所,可以正确加载虚拟机镜像文件,实现云计算环境下的现场取证工作。
为此,首先提出了一种新的云计算环境下的计算机取证模型——云计算取证模型,该模型定义了云计算环境下的工作层次,通过场景描述和过程组件的划分,刻画了完整的取证机制。通过对云计算取证模型的完整性和强隔离性的证明,可以将虚拟机镜像文件作为取证的对象进行分析,进而实现云计算环境下的计算机取证过程。
其次,在云计算平台中通过对虚拟化软件层的控制,利用其状态转换,提出了一种虚拟机镜像文件的迁移方法。通过对虚拟化软件层迁移状态时的上层虚拟机的进程标识,内存映射,网络连接情况信息和文件系统信息进行保存和重构设计,可以完整的保存虚拟机的整个系统状态,并通过本地化镜像加载,将虚拟机镜像整个从云计算平台迁移到本地取证环境中进行分析,实现云计算平台下电子证据的获取。
再次,由于迁移出来的虚拟机镜像文件需要在本地化加载,才能进一步进行取证分析,据此提出了一种临时镜像磁盘的加载方法。为了使镜像文件可以正常在本地环境下加载,设计了一个非文件系统分配的临时磁盘分区作为镜像文件系统和本地设备的操作系统之间信息交互的场所,以保持两个系统在硬件配置和服务的一致性,使虚拟机镜像文件正确加载。
最后,为方便查找分析和管理取证的对象文件,提出了一种针对涉案取证镜像文件的数据库管理结构。通过上述方法的研究,实现了云计算环境下取证工作。
The main advantages of cloud computing are its lower cost by use of computing services to achieve sustainability, and both business and individual users being able to achieve the freedom of information sharing through the cloud mass information. Although cloud computing can provide efficient service to customers, but criminals can also conduct illegal activities on this platform. Forensic technology is effective, proven violations method to prevent crime. But the traditional file-based evidence approach is not suited for cloud computing service model. Large-scale distributed heterogeneous virtual computing infrastructure of non-authorized investigation and evidence gathering is a big challenge in cloud computing environment. In order to meet these changes, forensic work has become an important issue in the cloud computing environment.
System virtualization and data migration technology is possible to use for forensic work in cloud computing environment. Cloud computing is a virtualization platform in the business model. There is lack of available evidence model a cloud computing environment. Cloud computing platform can be viewed as a system composed by multiple virtual organizations if the evidence is modeled by the cloud. And the instance of virtual machines can be used as forensic analysis. In order to obtain the object of forensic analysis, we get use of the site migration technology, virtualization software layer on the virtual machine instances of information security, to ensure the content of the image file transfer integrity and consistency. In order to locate the system in a virtual machine image file to load the forensic analysis by using a separate partition for the temporary image file system image file and the exchange of information between localized sites, you can load the virtual machine image file correctly, the cloud computing evidence of work-site environment.
Therefore, firstly, we proposed a new environment in the cloud model of computer forensics-Cloud Computing Forensics Model (CCFM), CCFM defines the evidence of work under the cloud level, through the scene description and process components division, gives evidence of a complete model. Through the cloud computing model integrity and strong evidence of proof isolation, the virtual machine image file can be analysized as evidence in the cloud computing environment to fulfill computer forensics process.
Secondly, a virtual machine image files migration method have been proposed in the cloud platform virtualization software layer with the use of the state transition. Through the migration of the virtualization software layer on top of virtual machine state, the process of identity, memory mapping, network connection information, and file system information preservation and reconstruction of the design, you can save the complete state of the system virtual machine, and by localization Image loading, the entire virtual machine image transfer from the cloud computing platform to the local forensics analysis environment, under the cloud computing platform for electronic evidence.
Thirdly, a temporary disk image loading methods is introduced. Because migration the virtual machine image file need load in the localization to further forensic analysis. To make image files can be loaded properly in the local environment, the design of a provisional allocation of non-file system image file system disk partition as the operating system and local device information exchange between the sites, to keep the two systems and services in the hardware configuration the consistency of the virtual machine image file loaded correctly.
Finally, a forensic image files in the database involved in the management structure to facilitate the analysis and management to find evidence of the object file. We can achieve evidence by the above method in cloud computing environment.
引文
[1]The Scientific Working Group on Digital Evidence (SWGDE). Digital Evidence: Standards and Principles, Proposed Standards for the Exchange of Digital Evidence. London:International Hi-Tech Crime and Forensics Conference. October 4-7,1999. 19
[2]Dan Farmer, Wietse Venema. Forensic Discovery. Computer Forensics Analysis ClassHandouts. http://www. porcupine.org/forensics/handouts. Html,6th 1999
[3]Chris Prosise, Kevin Mandia. Incident Response:Investigating Computer Crime. New York:McGraw-Hill Companies, June 21,2001.5-15
[4]Technical Working Group for Electronic Crime Scene Investigation. Electronic Crime Scene Investigation:A guide for responders. Washington. DC:The U. S. Department of Justice (DOJ), July,2001.1-5
[5]Dennis McGrath, Vincent Berk, Shu-kai Chin, et al. A Road Map for Digital Forensic Research. New York:Digital Forensic Research Workshop (DFRWS), August 7-8,2001.21~28
[6]David W Hagy. Electronic Crime Scene Investigation:A Guide for First Responders, Second Edition. Washington. DC:The U. S. Department of Justice (DOJ), April, 2001.13~24
[7]麦永浩,孙国梓,许榕生等.计算机取证与分析鉴定.清华大学出版社,2009.303~322
[8]Sarandis M, Dimitrios P, Christos D. On incident handling and response:a state-of-the-art approach. Computers & Security,2006,25(5):351~370
[9]Florian B, Eugene H S. Run-time label propagation for forensic audit data. Computers & Security,2007,26(7-8):496~513
[10]Khatir M, Hejazi S M, Sneiders E. Two-dimensional evidence reliability amplification process model for digital forensics. Third International Annual Workshop on Digital Forensics and Incident Analysis (WDFIA'08).2008.21~29
[11]Carmen-Veronica B, Eugene J H K, Hendrik V L. Modeling of discrete event systems:A holistic and incremental approach using Petri nets. ACM Transactions on Modeling and Computer Simulation (TOMACS),2004,14(4):389~423
[12]Thomas B H, Said H, Pascal Y. Mathematical programming approach to the Petri nets reachability problem. European Journal of Operational Research,2007,177(1): 176~197
[13]Mohamed S, Ali R A, Assaad S, et al. Forensic analysis of logs:Modeling and verification. Knowledge-Based Systems,2007,20(7):671~682
[14]Himanshu K, Jim B, Mehedi B, et al. Palantir:a framework for collaborative incident response and investigation//Proceedings of the 8th Symposium on Identity and Trust on the Internet (Dtrust09). Gaithersburg, ACM,2009.38-51
[15]B Hayes. Cloud Computing. Commun. ACM,2008,51(7):9-11
[16]IBM. IBM Cloud Computing. http://www.ibm.com/ibm/cloud
[17]Amazon. Amazon EC2, Developer Guide. http://docs.amazonwebservices.com/AWSEC2/latest/DeveloperGuide/
[18]Amazon. Amazon Elastic Compute Cloud(Amazon EC2). http://aws.amazon.com/ec2
[19]Amazon. Amazon Simple Storage Service (Amazon S3). http://aws.amazon.com/s3
[20]Google. Google App Engine. Http://code.google.com/appengine/
[21]Ghemawat S, Gobioff H, Leung S. The Google file system. ACM SIGOPS Operation Systems Review,2003,37(5):29~43
[22]Horrigan, J. B. Pew Internet-Use of Cloud Computing Application and Services. http://www.pewinternet.org/~/media//Files/Reports/2008/PIP_Cloud.Memo.pdf, 2009
[23]Andrew, Sheldon. The future of forensic computing. Digital Investigation,2:31~35
[24]Dean J, Ghemawat S. MapReduce:Simplified Data processing on Large Clusters. Proeeedings of Usenix Symposium on Operation System Design and implementation, 2004.137~150
[25]Yang H, Dasdan A, Hsiao R, et al. Map reduce merge:simplified relational data processing on large clusters. Proeeedings of the 2007 ACM SIGMOD international conference on Management of data,2007.1029~1040
[26]Isard M, Budiu M, Yu Y, et al. Dryad:distributed data parallel programs from sequential building blocks. Proceedings of the 2007 conference on EuroSys,2007. 59~72
[27]Linderman M, Collins J, Wang H, et al. Merge:a programming model for heterogeneous multi-core systems. Proceedings of ACM Symposium on Architecture Support on Programming Language and Operating Systems. ACM New York, NY, USA,2008.287~296
[28]Chang F, Dean J, Ghemawat S, et al. Bigtable:A distributed storage system for structured data. Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation,2006.205~218
[29]Horrigan J B. Pew Internet-Use of Cloud Computing Application and Services. http://www.pewinternet.org/-/media//Files/Reports/2008/PIP_Cloud.Memo.Pdf, 2009
[30]Goldberg R. Survery of Virtual Machine Research. IEEE Computer,1974,7(6): 34~45
[31]Sugerman J, Venkitachalam G, Lim B. Virtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor. USENIX Annual Technical Conference,2001.1~14
[32]Waldspurger C A. Memeory resource management in vmware esx server. ACM SIGOPS Operating Systems Review,2002,36:181~194
[33]Heath T, Martin R P, Nguyen T D. Improving cluster availability using workstation validation. Proceedings of the ACM SIGMETRICS. Marina Del Rey, California, USA,2002:217~227
[34]Padala P, Shin K G, Zhu Xiao Yun, et al. Adaptive control of virtualized resources in utility computing environments. Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007. Lisbon, Portugal,2007.289~302
[35]Srinivas Mukkamala, Andrew H Sung, Ajith Abraham. Hybrid multi-agent framework for detection of stealthy probes. Applied Soft Computing,2007,7: 631~641
[36]Vicki, Miller. Computer forensics and electronic discovery:The new management challenge. Computers & security,2006,25:91~96
[37]Rochwerger B, Breitgand D, Levy E, et al. The Reservoir model and architecture for open federated cloud computing. IBM Journal of Research and Development,2009, 53(4):1~17
[38]Vaquero L M, Rodero-Merino L, Caceres J, et al. A break in the clouds:Towards a cloud definition. ACM SIGCOMM Computer Communication Review,2009,39(1): 50~55
[39]Encase by Guidance Software. Http://www.guidancesoftware.com/default.aspx, 2009
[40]Forensic Toolkit(FTK) by Access Data. Http://www.accessdata.com/downloads. html,2009
[41]周刚,麦永浩,曹强等.云计算应用对计算机取证技术的挑战和对策.警察技术,2011,2:38-40
[42]Gang Zhou, Qiang Cao, Chentao Wu. Design and Performance Evaluation of Read/Write Metadata Service Strategy for Large-Scale Storage System. In Proceedings of the SPIE 8th International Symposium on Optical Storage/2008 International Workshop on Information Data Storage. Wuhan, China Nov 2008
[43]Gang Zhou, Qiang Cao, Yonghao Mai. Forensic Analysis using migration in cloud computing Environment.2nd International Conference on Intelligent Transportation Systems and Intelligent Computing, Suzhou, China, June,2011
[44]Clark C, Fraser K, Hand S, et al. Live Migration of Virtual Machines. Proceedings of the 2nd Int'l Conference on Networked Systems Design & Implementation, Berkeley, CA, USA,2005
[45]Wood T. Black-box and Gray-box Strategies for Virtual Machine Migration. Proceedings of the 4th International Conference on Networked Systems Design & Implementation, IEEE Press,2007
[46]Liu Pengcheng, Yang Ziye, Song Xiang, et al. Heterogeneous Live Migration of Virtual Machines. Proc. of the International Workshop on Virtualization Technology, Beijing, China.2008
[47]Nelson M, Lim B, Hutchins G. Fast transparent migration for virtual machines. Proceedings of the USENIX Annual Technical Conference 2005 on USENIX Annual Technical Conference table of contents. USENIX Association Berkeley, CA, USA,2005.25~25
[48]Garfinkel T, Rosenblum M. A Virtual Machine Introspection Based Architecture for Intrusion Detection. Proceedings of the 2003 Network and Distributed System Security Symposium,2003.191~206
[49]Howell J, Douceur J. Replicated virtual machines. Technical report MSR-TR-2005-119, Microsoft Research,2005
[50]King S T, Dunlap G W, Chen P M. Debugging operating systems with time-traveling virtual machines. Proceedings of the annual conference on USENIX Annual Technical Conference. USENIX Association, Berkeley, CA, USA,2005. 1-1
[51]Lowell D, Saito Y, Samberg E. Devirtualizable virtual machines enabling general, single-node, online maintenance. ACM SIGPLAN Notices,2004,39(11):211~223
[52]Garnkel T, Rosenblum M. When virtual is harder than real:Security challenges in virtual machine based computing environments. In Tenth Workshop on Hot Topics in Operating Systems,2005.25~27
[53]Howell J, Douceur J. Replicated virtual machines. Technical report MSR-TR-2005-119. Microsoft Researeh,2005
[54]Laureano M, Maziero C, Jamhour E. Protecting host-based intrusion detectors through virtual machines. Computer Networks,2007,51:1275~1283
[55]Faifeng X, Sihan Q, Huanguo Z. XEN Virtual Machine Technology and Its Security Analysis. Wuhan University Journal of Natural Sciences,2007,12
[56]Anwar Z, Campbell R H. Secure Reincarnation of Compromised Servers using Xen Based Time-Forking Virtual Machines.5th IEEE International Conference on Pervasive Computing and Communications Workshops, New York, USA.2007. 477~482
[57]Fraser K, Hand S, Neugebauer R, et al. Safe Hardware Access with the Xen Virtual Machine Monitor. Proceedings of the 1st Workshop on Operating System and Architectural Support for the on demand IT InfraStructure, Boston, Masschusetts, USA.2004.1~10
[58]Quynh N A, Takefuji Y. A Novel Approach for a File-system Integrity Monitor Tool of Xen Virtual Machine. Proceedings of the 2nd ACM Symposium on Information. Computer and Communications Security, Singapore.2007.194~202
[59]Hansen J, Jul E. Self-migration of operating systems. Proceeding of the 11th workshop on ACM SIGOPS European workshop,2004
[60]Krohn M, Brodsky M, Kaashoek M, et al. Information flow control for standard OS abstractions. Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles. ACM Press New York, NY, USA,2007.321~334
[61]Adams K, Agesen O. A comparison of software and hardware techniques for x86 virtualization. Proceedings of the 12th international conference on Architectural support for programming languages and operating systems. ACM New York, NY, USA,2006.2-13
[62]MYERS A, LISKOV B. Protecting Privacy Using the Decentralized Label Model. ACM Transactions on Software Engineering and Methodology,2000,9(4):410~442
[63]Arnold J. Ksplice:An Automatic System for Rebootless Kernel Security Updates. Ph. D. thesis, Massachusetts Institute of Technology,2008
[64]Sun W, Liang Z, Sekar R, et al. One-way Isolation:An Effective Approach for Realizing Safe Execution Environments. Proceedings of Network and Distributed Systems Security Symposium, San Diego, California, USA.2005.1~18
[65]Goldberg I, Wagner D, Thomas R, et al. A Secure Environment for Untrusted Helper Applications:Confining the Wily Hacker. Proceedings of the 6th USENIX Security Symposium, San Jose, California, USA.1996.1~13
[66]Provos N. Improving Host Security with System Call Policies. Proceedings of the 12th USENIX Security Symposium, Washington, D. C., USA.2003.257~271
[67]Armbrust M, Fox A, Griffith R, et al. Above the clouds:A berkeley view of cloud computing. Technical Report UCB/EECS-2009-28,2009
[68]Bogdan C Popescu, Bruno Crispo, Andrew S Tanenbaum. Design and implementation of a secure wide-area object middleware. Computer Networks,2007, 51:2484~2513
[69]Castiglione A, Santis A De, Soriente C. Taking advantages of a disadvantage: Digital forensics and steganography using document metadata. The Journal of Systems and Software,2007,80:750~764
[70]Bressoud T, Schneider F. Hypervisor-based fault tolerance. ACM Transactionson Computer Systems,1996,14(1):80~107
[71]Catalin Grigoras. Applications of ENF criterion in forensic audio, video, computer and telecommunication analysis. Forensic Science International,2007,167: 136~145
[72]Claire LaVelle, Almudena Konrad. FriendlyRoboCopy:A GUI to RoboCopy for computer forensic investigators. Digital investigation,2007,4:16~23
[73]Eric, Freyssinet, Zeno Geradts. Future issues in forensic computing and an introduction to ENSFI. Digital Investigation,2004,1:112~113
[74]Eric, Thompson. MD5 collisions and the impact on computer forensics. Digital Investigation,2005,2:36~40
[75]Eshghi K, Lillibridge M, et al. Jumbo store:providing efficient incremental upload and versioning for a utility rendering service. In Fifth USENIX Conference on File and Storage Technologies,2007
[76]Gartner. Tough questions:Gartner tallies up seven cloud-computing security risks. International Journal of Intelligent Computing Research,2010,1(1):105~106
[77]Hsieh Meng Yen, Huang Yueh Min, Chao Han Chieh. Adaptive security design with malicious node detection in cluster-based sensor networks. Computer Communications,2007,30:2385~2400
[78]Kalle Burbeck, Simin Nadjm-Tehrani. Adaptive real-time anomaly detection with incremental clustering. Information security technical report,2007,12:56~67
[79]Khatir M, Hejazi S M, Sneiders E. Two-dimensional evidence reliability amplification process model for digital forensics. In Third International Annual Workshop on Digital Forensics and Incident Analysis,2008
[80]Kim Tae-Hyoung, Sugie Toshiharu. Cooperative control for target-capturing task based on a cyclic pursuit strategy. Automatica,2007,43:1426~1431
[81]Liao N D, Tian S F, Wang T H. Network forensics based on fuzzy logic and expert system. Computer Communications,2009,32(17):1881~1892
[82]M Zakia, Tarek S Sobh. A cooperative agent-based model for active security systems. Computer Applications,2004,27:201~220
[83]Mansfield-Devine S. Danger in the clouds. Network Security,2008,12:9-11
[84]Marcus K, Rogers, Kate Seigfried. The future of computer forensics:a needs analysis survey. Computers&Security,2004,23:12~16
[85]Mark Taylor, John Haggerty, David Gresty. The legal aspects of corporate computer forensic investigations. Computer law&security report,2007,23:562~566
[86]Menken I. Cloud Computing-The Complete Cornerstone Guide to Cloud Computing Best Practices. United States of America. Emereo Pty Ltd.,2008
[87]Miller M. Cloud Computing-Web-Based Applications That Change the Way You Work and Collaborate Online. United States of America. Que Publishing,2008
[88]Gang Zhou, Yonghao Mai, Qiang Cao. Design and Implementation of VEEL Archive System for Computer Forensics. Proceedings 2010 International Conference on Information Theory and Information Security. BeiJing, China. Dec. 2010.138-141
[89]Barham P, Dragovic B, Fraser K, et al. Xen and the art of virtualization. ACM SIGOPS Operating Systems Review,2003,37(5):163~177
[90]Ian P, Keir F, Steve H, et al. Xen 3.0 and the Art of Virtualization. Proceedings of the Ottawa Linux Symposium, Ottawa, Canada,2005.65~78
[91]Clark B, Deshane T, Dow E, et al. Xen and the Art of Repeated Research. Proceedings of the USENIX Annual Technical Conference, Boston, Massachusetts, USA.2004.47~56
[92]Yaozu D, Shaofan L, Asit M, et al. Extending Xen with Intel Virtualization Technology. Intel Technology Journal,2006,10(3):193~203
[93]Gupta D, Gardner R, Cherkasova L. XenMon:QoS Monitoring and Performance Profiling Tool. Tech Report:HPL-2005-1872005
[94]Mohamed Saleh, Ali Reza, Assaad Sakha. Forensic analysis of logs:Modeling and verification. Knowledge-Based Systems,2007,20:671~682
[95]Oleksiy Mazhelis, Seppo Puuronen. A framework for behavior-based detection of user substitution in a mobile context. Computers & Security,2007,26:154~176
[96]Paul D, Eugene H. An exploration of highly focused, co-processor-based information system protection. Computer Networks,2007,51:1284-1298
[97]Rogers M K, Seigfried K. The Future of Computer Forensics:A Needs Analysis Survey. Computers & Security,2004,23(1):12~16
[98]Sandhya Peddabachigari, Ajith Abraham, Crina Grosan. Modeling intrusion detection system using hybrid intelligent systems. Journal of Network and Computer Applications,2007,30:114~132
[99]Soltesz S, Potzl H, Fiuczynski M, et al. Container-based operating virtualization:a scalable, high-Performance alternative to hypervisors. Proceedings of the 2007 conference on EuroSys, ACM Press NewYork,2007.275~287
[100]Treacy B, Bruening P. Cloud Computing-data protection concerns unwrapped. Privacy and Data Protection PDP,2009,9(3):13
[101]Whitaker A, Shaw M, Gribble S D. Denali:Lightweight Virtual Machines for Distribute and Networked Applications. University of Washington Technical Report 02-02-012002
[102]Whitaker A, Cox R S, Shaw M, et al. Constructing Services with Interposable Virtual Hardware. Proceedings of the 1th Symposium on Network System Design and Implementation, San Francisco, California, USA.2004.13~26
[103]Microsoft. Microsoft Virtual PC 2007. http://www. microsoft. com/windows/ products/winfamily/virtualpc/default. mspx. Access at June 18,2007
[104]Daniel Nurmi, Rich Wolski, Chris Grzegorczyk, et al. The eucalyptus opensource cloud computing system. Proceedings of the 2009 9th IEEE/ACM International Symposium on Cluster Computing and the Grid,2009.124~131
[105]Armbrust M, Fox A, Griffith R, et al. Above the clouds:A berkeley view of cloud computing. Technical Report UCB/EECS-2009-28,2009.1-25
[106]Irwin D, Chase J S, Grit L, et al. Sharing networked resources with brokered leases. Proceedings of the USENIX Technical Conference. Boston, MA, USA,2006. 199~212
[107]Hacker T J, Meglicki Z. Using queue structures to improve job reliability. Proceedings of the ACM HPDC 2007. Monterey, California, USA,2007.43~54
[108]Buyya R, Ranjan R, Calheiros R N. Modeling and simulation of scalable cloud computing environments and the CloudSim toolkit:Challenges and opportunities. Proceedings of the 7th High Performance Computing and Simulation. Leipzig, Germany,2009.1~11
[109]B Pfaff, T Garfinkel, M Rosenblum. Virtualization aware file systems:getting beyond the limitations of virtual disks. In Proceedings of the Third Symposium on Networked Systems Design and Implementation, May 2006
[2]Dan Farmer, Wietse Venema. Forensic Discovery. Computer Forensics Analysis ClassHandouts. http://www. porcupine.org/forensics/handouts. Html,6th 1999
[3]Chris Prosise, Kevin Mandia. Incident Response:Investigating Computer Crime. New York:McGraw-Hill Companies, June 21,2001.5-15
[4]Technical Working Group for Electronic Crime Scene Investigation. Electronic Crime Scene Investigation:A guide for responders. Washington. DC:The U. S. Department of Justice (DOJ), July,2001.1-5
[5]Dennis McGrath, Vincent Berk, Shu-kai Chin, et al. A Road Map for Digital Forensic Research. New York:Digital Forensic Research Workshop (DFRWS), August 7-8,2001.21~28
[6]David W Hagy. Electronic Crime Scene Investigation:A Guide for First Responders, Second Edition. Washington. DC:The U. S. Department of Justice (DOJ), April, 2001.13~24
[7]麦永浩,孙国梓,许榕生等.计算机取证与分析鉴定.清华大学出版社,2009.303~322
[8]Sarandis M, Dimitrios P, Christos D. On incident handling and response:a state-of-the-art approach. Computers & Security,2006,25(5):351~370
[9]Florian B, Eugene H S. Run-time label propagation for forensic audit data. Computers & Security,2007,26(7-8):496~513
[10]Khatir M, Hejazi S M, Sneiders E. Two-dimensional evidence reliability amplification process model for digital forensics. Third International Annual Workshop on Digital Forensics and Incident Analysis (WDFIA'08).2008.21~29
[11]Carmen-Veronica B, Eugene J H K, Hendrik V L. Modeling of discrete event systems:A holistic and incremental approach using Petri nets. ACM Transactions on Modeling and Computer Simulation (TOMACS),2004,14(4):389~423
[12]Thomas B H, Said H, Pascal Y. Mathematical programming approach to the Petri nets reachability problem. European Journal of Operational Research,2007,177(1): 176~197
[13]Mohamed S, Ali R A, Assaad S, et al. Forensic analysis of logs:Modeling and verification. Knowledge-Based Systems,2007,20(7):671~682
[14]Himanshu K, Jim B, Mehedi B, et al. Palantir:a framework for collaborative incident response and investigation//Proceedings of the 8th Symposium on Identity and Trust on the Internet (Dtrust09). Gaithersburg, ACM,2009.38-51
[15]B Hayes. Cloud Computing. Commun. ACM,2008,51(7):9-11
[16]IBM. IBM Cloud Computing. http://www.ibm.com/ibm/cloud
[17]Amazon. Amazon EC2, Developer Guide. http://docs.amazonwebservices.com/AWSEC2/latest/DeveloperGuide/
[18]Amazon. Amazon Elastic Compute Cloud(Amazon EC2). http://aws.amazon.com/ec2
[19]Amazon. Amazon Simple Storage Service (Amazon S3). http://aws.amazon.com/s3
[20]Google. Google App Engine. Http://code.google.com/appengine/
[21]Ghemawat S, Gobioff H, Leung S. The Google file system. ACM SIGOPS Operation Systems Review,2003,37(5):29~43
[22]Horrigan, J. B. Pew Internet-Use of Cloud Computing Application and Services. http://www.pewinternet.org/~/media//Files/Reports/2008/PIP_Cloud.Memo.pdf, 2009
[23]Andrew, Sheldon. The future of forensic computing. Digital Investigation,2:31~35
[24]Dean J, Ghemawat S. MapReduce:Simplified Data processing on Large Clusters. Proeeedings of Usenix Symposium on Operation System Design and implementation, 2004.137~150
[25]Yang H, Dasdan A, Hsiao R, et al. Map reduce merge:simplified relational data processing on large clusters. Proeeedings of the 2007 ACM SIGMOD international conference on Management of data,2007.1029~1040
[26]Isard M, Budiu M, Yu Y, et al. Dryad:distributed data parallel programs from sequential building blocks. Proceedings of the 2007 conference on EuroSys,2007. 59~72
[27]Linderman M, Collins J, Wang H, et al. Merge:a programming model for heterogeneous multi-core systems. Proceedings of ACM Symposium on Architecture Support on Programming Language and Operating Systems. ACM New York, NY, USA,2008.287~296
[28]Chang F, Dean J, Ghemawat S, et al. Bigtable:A distributed storage system for structured data. Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation,2006.205~218
[29]Horrigan J B. Pew Internet-Use of Cloud Computing Application and Services. http://www.pewinternet.org/-/media//Files/Reports/2008/PIP_Cloud.Memo.Pdf, 2009
[30]Goldberg R. Survery of Virtual Machine Research. IEEE Computer,1974,7(6): 34~45
[31]Sugerman J, Venkitachalam G, Lim B. Virtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor. USENIX Annual Technical Conference,2001.1~14
[32]Waldspurger C A. Memeory resource management in vmware esx server. ACM SIGOPS Operating Systems Review,2002,36:181~194
[33]Heath T, Martin R P, Nguyen T D. Improving cluster availability using workstation validation. Proceedings of the ACM SIGMETRICS. Marina Del Rey, California, USA,2002:217~227
[34]Padala P, Shin K G, Zhu Xiao Yun, et al. Adaptive control of virtualized resources in utility computing environments. Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007. Lisbon, Portugal,2007.289~302
[35]Srinivas Mukkamala, Andrew H Sung, Ajith Abraham. Hybrid multi-agent framework for detection of stealthy probes. Applied Soft Computing,2007,7: 631~641
[36]Vicki, Miller. Computer forensics and electronic discovery:The new management challenge. Computers & security,2006,25:91~96
[37]Rochwerger B, Breitgand D, Levy E, et al. The Reservoir model and architecture for open federated cloud computing. IBM Journal of Research and Development,2009, 53(4):1~17
[38]Vaquero L M, Rodero-Merino L, Caceres J, et al. A break in the clouds:Towards a cloud definition. ACM SIGCOMM Computer Communication Review,2009,39(1): 50~55
[39]Encase by Guidance Software. Http://www.guidancesoftware.com/default.aspx, 2009
[40]Forensic Toolkit(FTK) by Access Data. Http://www.accessdata.com/downloads. html,2009
[41]周刚,麦永浩,曹强等.云计算应用对计算机取证技术的挑战和对策.警察技术,2011,2:38-40
[42]Gang Zhou, Qiang Cao, Chentao Wu. Design and Performance Evaluation of Read/Write Metadata Service Strategy for Large-Scale Storage System. In Proceedings of the SPIE 8th International Symposium on Optical Storage/2008 International Workshop on Information Data Storage. Wuhan, China Nov 2008
[43]Gang Zhou, Qiang Cao, Yonghao Mai. Forensic Analysis using migration in cloud computing Environment.2nd International Conference on Intelligent Transportation Systems and Intelligent Computing, Suzhou, China, June,2011
[44]Clark C, Fraser K, Hand S, et al. Live Migration of Virtual Machines. Proceedings of the 2nd Int'l Conference on Networked Systems Design & Implementation, Berkeley, CA, USA,2005
[45]Wood T. Black-box and Gray-box Strategies for Virtual Machine Migration. Proceedings of the 4th International Conference on Networked Systems Design & Implementation, IEEE Press,2007
[46]Liu Pengcheng, Yang Ziye, Song Xiang, et al. Heterogeneous Live Migration of Virtual Machines. Proc. of the International Workshop on Virtualization Technology, Beijing, China.2008
[47]Nelson M, Lim B, Hutchins G. Fast transparent migration for virtual machines. Proceedings of the USENIX Annual Technical Conference 2005 on USENIX Annual Technical Conference table of contents. USENIX Association Berkeley, CA, USA,2005.25~25
[48]Garfinkel T, Rosenblum M. A Virtual Machine Introspection Based Architecture for Intrusion Detection. Proceedings of the 2003 Network and Distributed System Security Symposium,2003.191~206
[49]Howell J, Douceur J. Replicated virtual machines. Technical report MSR-TR-2005-119, Microsoft Research,2005
[50]King S T, Dunlap G W, Chen P M. Debugging operating systems with time-traveling virtual machines. Proceedings of the annual conference on USENIX Annual Technical Conference. USENIX Association, Berkeley, CA, USA,2005. 1-1
[51]Lowell D, Saito Y, Samberg E. Devirtualizable virtual machines enabling general, single-node, online maintenance. ACM SIGPLAN Notices,2004,39(11):211~223
[52]Garnkel T, Rosenblum M. When virtual is harder than real:Security challenges in virtual machine based computing environments. In Tenth Workshop on Hot Topics in Operating Systems,2005.25~27
[53]Howell J, Douceur J. Replicated virtual machines. Technical report MSR-TR-2005-119. Microsoft Researeh,2005
[54]Laureano M, Maziero C, Jamhour E. Protecting host-based intrusion detectors through virtual machines. Computer Networks,2007,51:1275~1283
[55]Faifeng X, Sihan Q, Huanguo Z. XEN Virtual Machine Technology and Its Security Analysis. Wuhan University Journal of Natural Sciences,2007,12
[56]Anwar Z, Campbell R H. Secure Reincarnation of Compromised Servers using Xen Based Time-Forking Virtual Machines.5th IEEE International Conference on Pervasive Computing and Communications Workshops, New York, USA.2007. 477~482
[57]Fraser K, Hand S, Neugebauer R, et al. Safe Hardware Access with the Xen Virtual Machine Monitor. Proceedings of the 1st Workshop on Operating System and Architectural Support for the on demand IT InfraStructure, Boston, Masschusetts, USA.2004.1~10
[58]Quynh N A, Takefuji Y. A Novel Approach for a File-system Integrity Monitor Tool of Xen Virtual Machine. Proceedings of the 2nd ACM Symposium on Information. Computer and Communications Security, Singapore.2007.194~202
[59]Hansen J, Jul E. Self-migration of operating systems. Proceeding of the 11th workshop on ACM SIGOPS European workshop,2004
[60]Krohn M, Brodsky M, Kaashoek M, et al. Information flow control for standard OS abstractions. Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles. ACM Press New York, NY, USA,2007.321~334
[61]Adams K, Agesen O. A comparison of software and hardware techniques for x86 virtualization. Proceedings of the 12th international conference on Architectural support for programming languages and operating systems. ACM New York, NY, USA,2006.2-13
[62]MYERS A, LISKOV B. Protecting Privacy Using the Decentralized Label Model. ACM Transactions on Software Engineering and Methodology,2000,9(4):410~442
[63]Arnold J. Ksplice:An Automatic System for Rebootless Kernel Security Updates. Ph. D. thesis, Massachusetts Institute of Technology,2008
[64]Sun W, Liang Z, Sekar R, et al. One-way Isolation:An Effective Approach for Realizing Safe Execution Environments. Proceedings of Network and Distributed Systems Security Symposium, San Diego, California, USA.2005.1~18
[65]Goldberg I, Wagner D, Thomas R, et al. A Secure Environment for Untrusted Helper Applications:Confining the Wily Hacker. Proceedings of the 6th USENIX Security Symposium, San Jose, California, USA.1996.1~13
[66]Provos N. Improving Host Security with System Call Policies. Proceedings of the 12th USENIX Security Symposium, Washington, D. C., USA.2003.257~271
[67]Armbrust M, Fox A, Griffith R, et al. Above the clouds:A berkeley view of cloud computing. Technical Report UCB/EECS-2009-28,2009
[68]Bogdan C Popescu, Bruno Crispo, Andrew S Tanenbaum. Design and implementation of a secure wide-area object middleware. Computer Networks,2007, 51:2484~2513
[69]Castiglione A, Santis A De, Soriente C. Taking advantages of a disadvantage: Digital forensics and steganography using document metadata. The Journal of Systems and Software,2007,80:750~764
[70]Bressoud T, Schneider F. Hypervisor-based fault tolerance. ACM Transactionson Computer Systems,1996,14(1):80~107
[71]Catalin Grigoras. Applications of ENF criterion in forensic audio, video, computer and telecommunication analysis. Forensic Science International,2007,167: 136~145
[72]Claire LaVelle, Almudena Konrad. FriendlyRoboCopy:A GUI to RoboCopy for computer forensic investigators. Digital investigation,2007,4:16~23
[73]Eric, Freyssinet, Zeno Geradts. Future issues in forensic computing and an introduction to ENSFI. Digital Investigation,2004,1:112~113
[74]Eric, Thompson. MD5 collisions and the impact on computer forensics. Digital Investigation,2005,2:36~40
[75]Eshghi K, Lillibridge M, et al. Jumbo store:providing efficient incremental upload and versioning for a utility rendering service. In Fifth USENIX Conference on File and Storage Technologies,2007
[76]Gartner. Tough questions:Gartner tallies up seven cloud-computing security risks. International Journal of Intelligent Computing Research,2010,1(1):105~106
[77]Hsieh Meng Yen, Huang Yueh Min, Chao Han Chieh. Adaptive security design with malicious node detection in cluster-based sensor networks. Computer Communications,2007,30:2385~2400
[78]Kalle Burbeck, Simin Nadjm-Tehrani. Adaptive real-time anomaly detection with incremental clustering. Information security technical report,2007,12:56~67
[79]Khatir M, Hejazi S M, Sneiders E. Two-dimensional evidence reliability amplification process model for digital forensics. In Third International Annual Workshop on Digital Forensics and Incident Analysis,2008
[80]Kim Tae-Hyoung, Sugie Toshiharu. Cooperative control for target-capturing task based on a cyclic pursuit strategy. Automatica,2007,43:1426~1431
[81]Liao N D, Tian S F, Wang T H. Network forensics based on fuzzy logic and expert system. Computer Communications,2009,32(17):1881~1892
[82]M Zakia, Tarek S Sobh. A cooperative agent-based model for active security systems. Computer Applications,2004,27:201~220
[83]Mansfield-Devine S. Danger in the clouds. Network Security,2008,12:9-11
[84]Marcus K, Rogers, Kate Seigfried. The future of computer forensics:a needs analysis survey. Computers&Security,2004,23:12~16
[85]Mark Taylor, John Haggerty, David Gresty. The legal aspects of corporate computer forensic investigations. Computer law&security report,2007,23:562~566
[86]Menken I. Cloud Computing-The Complete Cornerstone Guide to Cloud Computing Best Practices. United States of America. Emereo Pty Ltd.,2008
[87]Miller M. Cloud Computing-Web-Based Applications That Change the Way You Work and Collaborate Online. United States of America. Que Publishing,2008
[88]Gang Zhou, Yonghao Mai, Qiang Cao. Design and Implementation of VEEL Archive System for Computer Forensics. Proceedings 2010 International Conference on Information Theory and Information Security. BeiJing, China. Dec. 2010.138-141
[89]Barham P, Dragovic B, Fraser K, et al. Xen and the art of virtualization. ACM SIGOPS Operating Systems Review,2003,37(5):163~177
[90]Ian P, Keir F, Steve H, et al. Xen 3.0 and the Art of Virtualization. Proceedings of the Ottawa Linux Symposium, Ottawa, Canada,2005.65~78
[91]Clark B, Deshane T, Dow E, et al. Xen and the Art of Repeated Research. Proceedings of the USENIX Annual Technical Conference, Boston, Massachusetts, USA.2004.47~56
[92]Yaozu D, Shaofan L, Asit M, et al. Extending Xen with Intel Virtualization Technology. Intel Technology Journal,2006,10(3):193~203
[93]Gupta D, Gardner R, Cherkasova L. XenMon:QoS Monitoring and Performance Profiling Tool. Tech Report:HPL-2005-1872005
[94]Mohamed Saleh, Ali Reza, Assaad Sakha. Forensic analysis of logs:Modeling and verification. Knowledge-Based Systems,2007,20:671~682
[95]Oleksiy Mazhelis, Seppo Puuronen. A framework for behavior-based detection of user substitution in a mobile context. Computers & Security,2007,26:154~176
[96]Paul D, Eugene H. An exploration of highly focused, co-processor-based information system protection. Computer Networks,2007,51:1284-1298
[97]Rogers M K, Seigfried K. The Future of Computer Forensics:A Needs Analysis Survey. Computers & Security,2004,23(1):12~16
[98]Sandhya Peddabachigari, Ajith Abraham, Crina Grosan. Modeling intrusion detection system using hybrid intelligent systems. Journal of Network and Computer Applications,2007,30:114~132
[99]Soltesz S, Potzl H, Fiuczynski M, et al. Container-based operating virtualization:a scalable, high-Performance alternative to hypervisors. Proceedings of the 2007 conference on EuroSys, ACM Press NewYork,2007.275~287
[100]Treacy B, Bruening P. Cloud Computing-data protection concerns unwrapped. Privacy and Data Protection PDP,2009,9(3):13
[101]Whitaker A, Shaw M, Gribble S D. Denali:Lightweight Virtual Machines for Distribute and Networked Applications. University of Washington Technical Report 02-02-012002
[102]Whitaker A, Cox R S, Shaw M, et al. Constructing Services with Interposable Virtual Hardware. Proceedings of the 1th Symposium on Network System Design and Implementation, San Francisco, California, USA.2004.13~26
[103]Microsoft. Microsoft Virtual PC 2007. http://www. microsoft. com/windows/ products/winfamily/virtualpc/default. mspx. Access at June 18,2007
[104]Daniel Nurmi, Rich Wolski, Chris Grzegorczyk, et al. The eucalyptus opensource cloud computing system. Proceedings of the 2009 9th IEEE/ACM International Symposium on Cluster Computing and the Grid,2009.124~131
[105]Armbrust M, Fox A, Griffith R, et al. Above the clouds:A berkeley view of cloud computing. Technical Report UCB/EECS-2009-28,2009.1-25
[106]Irwin D, Chase J S, Grit L, et al. Sharing networked resources with brokered leases. Proceedings of the USENIX Technical Conference. Boston, MA, USA,2006. 199~212
[107]Hacker T J, Meglicki Z. Using queue structures to improve job reliability. Proceedings of the ACM HPDC 2007. Monterey, California, USA,2007.43~54
[108]Buyya R, Ranjan R, Calheiros R N. Modeling and simulation of scalable cloud computing environments and the CloudSim toolkit:Challenges and opportunities. Proceedings of the 7th High Performance Computing and Simulation. Leipzig, Germany,2009.1~11
[109]B Pfaff, T Garfinkel, M Rosenblum. Virtualization aware file systems:getting beyond the limitations of virtual disks. In Proceedings of the Third Symposium on Networked Systems Design and Implementation, May 2006